Forum Discussion
SiddharthRajD
Feb 01, 2022 · Copper Contributor
Parse string in Azure Sentinel
Hello, we want to parse out the "subscription ID" as a field from the following string. Please let me know how I can do that.
Column Name | string |
privateLinkServiceId_ | /subscriptions/"SubsriptionID"/resourceGroups/"RG-Name"/providers/Microsoft.Storage/storageAccounts/"Name" |
Existing query (please suggest what needs to be appended):
AzureActivity | search "entity"
| extend privateLinkServiceId_ = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).privateLinkServiceConnections))[0].properties)).privateLinkServiceId)
- Clive_Watson · Bronze Contributor
AzureActivity
| extend entity_ = tostring(parse_json(Properties).entity)
| where isnotempty(entity_)
| parse entity_ with * '/subscriptions/' subscription_ '/' *
| project subscription_
However, SubscriptionId is already a column in that table, so you can just do:
AzureActivity
| extend entity_ = tostring(parse_json(Properties).entity)
| where isnotempty(entity_)
| project SubscriptionId
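
The answer's parse pattern applied to the asker's privateLinkServiceId_ column, as an added example that is not part of the original thread. The datatable rows are constructed stand-ins for AzureActivity after the asker's extend, and the target*_ and crossSubscription_ column names are assumptions; the last column compares the subscription read from the resource ID with the event's own SubscriptionId, since the two are separate values.

```kql
// Constructed sample rows standing in for AzureActivity after the asker's extend;
// the GUIDs, resource group names and account names are made up.
let SampleActivity = datatable(SubscriptionId:string, privateLinkServiceId_:string)
[
    "00000000-0000-0000-0000-000000000001", "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp01",
    "00000000-0000-0000-0000-000000000001", "/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/rg-shared/providers/Microsoft.Storage/storageAccounts/stshared01",
    "00000000-0000-0000-0000-000000000001", ""
];
SampleActivity
// Drop events that carry no private link connection.
| where isnotempty(privateLinkServiceId_)
// Same parse approach as the answer, pointed at privateLinkServiceId_ and
// extended to the resource group, provider and storage account name.
| parse privateLinkServiceId_ with * "/subscriptions/" targetSubscription_ "/resourceGroups/" targetResourceGroup_ "/providers/" targetProvider_ "/storageAccounts/" targetAccount_
// True when the linked resource is in a different subscription than the logged event.
| extend crossSubscription_ = targetSubscription_ !~ SubscriptionId
| project SubscriptionId, targetSubscription_, targetResourceGroup_, targetProvider_, targetAccount_, crossSubscription_
```

To run it against real data, replace SampleActivity with the asker's AzureActivity query ending in the privateLinkServiceId_ extend.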